As I understand it, VC is only impacted when the customer uses VC(E)M with exotic browsers that use OpenSSL (which ones are those, or, maybe easier, which ones do not use OpenSSL)?

I just would have expected a bit more detailed info on this.

Many thanks in advance.

************

Input from Fred:

*************

Hello Dennis,

VC 4.30 contains the fix for this vulnerability. No version of VC contains the OpenSSL server vulnerability mentioned in the CVE.

Pre-4.30 versions of VC are vulnerable as OpenSSL clients if communicating with a vulnerable OpenSSL server. VCM OpenSSL client sessions to LDAP servers are a negligible risk, as the Microsoft AD LDAP server is not vulnerable and is the prevalent LDAP server used with VC.

Given Fred's information, I am still not feeling comfortable in deciding whether it is necessary for my customer to upgrade to VC 4.30 or not.

Coming back to Vincent's remark on the browsers, the customer uses IE 8.0 and Chrome 35.0.1916.153 m.

I am not sure these are the only pieces of software to look at, but for those I assume they don't use OpenSSL?

Can someone confirm this and/or provide any additional information to look for when deciding whether VC 4.30 is needed?

Many thanks in advance.

*************

From Vincent:

***************

Dennis,

Fred said "No version of VC contains the OpenSSL server vulnerability mentioned in the CVE". That means when you're connecting to VCM with a Web browser (when VCM acts as an SSL server), you are NOT vulnerable, regardless of whether the browser uses OpenSSL or not (and none of the browsers you mention do; the only somewhat common browser that uses OpenSSL is Chrome on Android devices, but again this is irrelevant here).

It's only when VC acts as an SSL *client*, typically to an LDAP server, that versions < 4.30 are potentially vulnerable, and only if the other end is vulnerable too. So if your customer doesn't use an external directory, or even if they do and that directory is Microsoft AD and not OpenLDAP, they're not exposed either.